dotgpg — easy to use storage for your production secrets

Conrad Irwin — Jan 2014

Where are your database passwords? your cookie encryption keys? your SSL certificates?

The most common answers are "in git" and "in Dropbox". Hopefully with a guilty squirm and followed by an awkward "it's on my todo list"...

Storing production secrets on cloud services in plain text is very tempting but it's obviously insecure. We've seen hacks via API keys in git, we've seen Dropbox passwords leak.

Luckily, help is at hand!

Announcing dotgpg

dotgpg is an easy to use tool that lets you read and write encrypted files in your favourite text editor. It maintains an access list so that each file can be decrypted by everyone on your team, but no one else.

As encrypted files are still "just files" you can store them in git or Dropbox so that they're easy to share. Obviously if you're really paranoid a USB stick in a locked drawer might be safer, until your co-workers gang up on you...

Under the hood dotgpg is using the battle-tested GnuPG library. So unless someone gets access to your laptop and you chose a weak passphrase it's highly unlikely anyone malicious can decrypt them.

What can I store in dotgpg?

Dotgpg was designed for storing production secrets. Things like API keys or database passwords that your app needs to run. At Bugsnag we use dotenv in production, and store the master copy of our .env file inside dotgpg. We then check this dotgpg directory into git, so we can go back and see old versions if someone makes a mistake.

At Rapportive we used dotgpg's ancestor to share passwords for things like Pingdom for which we all logged into the same account. We put the encrypted files in Dropbox so that changes propogated automatically to everyone.

At LinkedIn the second version of the system was used to encrypt the SSL certificates that my team needed. We then stored the encrypted files on USB sticks locked in a drawer, just to be sure.

I also use it for encrypting the secrets in my personal backups. At the moment that includes ssh keys, gem signing certificates and emergency two-factor-auth codes. (My passwords are now in a system with a browser extension, but I used to use gpg for those as well).

How easy is it really?

While GPG is amazing at encrypting stuff, the user-interface leaves a lot to be desired. With dotgpg I've removed as many options and operations as possible, and boiled it down to two every-day commands.

  1. dotgpg cat decrypts a file and pipes it to standard out.
  2. dotgpg edit opens a file in your $EDITOR and re-encrypts it when you're done.

To get started is even simpler, just run dotgpg init to create a new directory and then dotgpg edit to create files within it.

Adding collaborators is also pretty quick. They run dotgpg key on their computer and then send the key to you (by Dropbox, email, whatever suits). You then run dotgpg add on your computer to add them to the access list.

How secure is it?

Secure enough for me. If you still have your Rails secret_key_base or SSL certificates in cloud services unencrypted, then it's more than secure enough for you too. The easiest way to get more secure than dotgpg is to store everything on a USB stick offline, but this is too inconvenient for many people.

That said, dotgpg is only designed to add an extra layer of protection if someone gets into your git or Dropbox. If an attacker gets access to your laptop you should probably assume that they will guess your password and decrypt your files.

For more information see the security section of the README. If you have concerns, please email me.

Installation

Full instructions, including use without ruby, are available on the README. But if you want to dive straight in, just

(sudo) gem install dotgpg

Please file an issue if you have difficulties, and feel free to get in touch if you need a hand!